Analysis
max time kernel: 152s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2022 22:47
Static task: static1
Behavioral task: behavioral1
Sample: jetsduu7564.exe
Resource: win7-20220901-en
General
Target: jetsduu7564.exe
Size: 222KB
MD5: 75dc2f78f5b5c89fbee266137feec698
SHA1: 0b2f0dd1cd2909336a6a3f553f7c7e30e4557c1b
SHA256: ca9dc37d5af616843ef202f89a4ce2cef6fbbc3bce92456193af9cc77bea1af0
SHA512: 823d6c55719ff22634fa7c3538768e5dbfe65ff9944dda228b541dbaac33d00367c2e8eb2530eb40fcdf11692e96bd5bc91d51348afe2998ef84527462b3f9b4
SSDEEP: 3072:WfJSq+ytGIon9KcSMNDd7ul1JUx6edox1vva7m8f4xQ3bWoG5hlYkE83EHduo9IM:MEa0NXUM6QA9dtE8y+pct1v
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: je14
Domains:
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3756-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/936-145-0x0000000001230000-0x000000000125F000-memory.dmp   formbook
  behavioral2/memory/936-149-0x0000000001230000-0x000000000125F000-memory.dmp   formbook

Executes dropped EXE (2 IoCs)
  pid   process
  4440  dufjl.exe
  3756  dufjl.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process      target process
  PID 4440 set thread context of 3756  4440  dufjl.exe    dufjl.exe
  PID 3756 set thread context of 3032  3756  dufjl.exe    Explorer.EXE
  PID 936 set thread context of 3032   936   control.exe  Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid   process      entries
  3756  dufjl.exe    4
  936   control.exe  54
  (the report repeats the same pid/process entry once per IoC: 4 entries for 3756 dufjl.exe, the remaining 54 of the 58 for 936 control.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  3032  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process      entries
  4440  dufjl.exe    1
  3756  dufjl.exe    3
  936   control.exe  2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   3756  dufjl.exe
  Token: SeDebugPrivilege   936   control.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                         pid   process          target process  entries
  PID 1180 wrote to memory of 4440    1180  jetsduu7564.exe  dufjl.exe       3
  PID 4440 wrote to memory of 3756    4440  dufjl.exe        dufjl.exe       4
  PID 3032 wrote to memory of 936     3032  Explorer.EXE     control.exe     3
  PID 936 wrote to memory of 4808     936   control.exe      cmd.exe         3
Processes

1. C:\Windows\Explorer.EXE (PID 3032)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\jetsduu7564.exe (PID 1180)
      command line: "C:\Users\Admin\AppData\Local\Temp\jetsduu7564.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\dufjl.exe (PID 4440)
         command line: "C:\Users\Admin\AppData\Local\Temp\dufjl.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\dufjl.exe (PID 3756)
            command line: "C:\Users\Admin\AppData\Local\Temp\dufjl.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\autofmt.exe (PID 4216)
      command line: "C:\Windows\SysWOW64\autofmt.exe"

   2. C:\Windows\SysWOW64\control.exe (PID 936)
      command line: "C:\Windows\SysWOW64\control.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 4808)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\dufjl.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\cpaswq.kj
  Filesize: 185KB
  MD5: e2d0bcb6f272fb13c8d5f4e0fafcd7ef
  SHA1: 705c2f283f217983108d2d14bec2dd05ba84cb97
  SHA256: cdf8be85aca508ae572693b876b9f3daacf2cf6e80c01534d04b97b61879526e
  SHA512: c4583b159625f0fe32d02dfe05169f8b54aadc1169498ba6b58ec34d3056432f24cf46532a2aa0acdc717ef821963da4100feeec7083f32672b884ac91deed95

C:\Users\Admin\AppData\Local\Temp\dufjl.exe (listed three times in the report, identical hashes each time)
  Filesize: 6KB
  MD5: 74cbafe65a6f4de0cca11172f174b1fd
  SHA1: 515a076a1f3e5ea4290024e8d17a01df8b7569ce
  SHA256: 36c72fdce14ac0b58ca33cc96891c957e819aef91e0fb9ae0ada132105326df0
  SHA512: 0e7bb057721a2317fabfa520a6fac65be461c8ff5f6845a15b04b8914016ab1dcc4ecdc3f7a91c3ce1d4b59b88991e7cb4e03c31a9822f8ed0d4a20a20a1ea94

C:\Users\Admin\AppData\Local\Temp\szvgcg.vc
  Filesize: 5KB
  MD5: 16f17c0cd30705a753aeb3a307ff26ed
  SHA1: b910a46922b4e8911638d9295e83f970214df676
  SHA256: 9e292156b1545d54b76eee5c885fe16256cfc2d575a9f235480e66d3e5780677
  SHA512: 5a808bff270ebf1edaa47e702b0f6ce3987cd8d6f141d6a6a36495448d0ccf1f485a2af694588bede83f435815eb7e0245368d00e8464e43c6c4a82f110299ec

Memory dumps
  dump                                                         Filesize
  memory/936-143-0x0000000000000000-mapping.dmp
  memory/936-149-0x0000000001230000-0x000000000125F000-memory.dmp   188KB
  memory/936-148-0x0000000002F60000-0x0000000002FF3000-memory.dmp   588KB
  memory/936-147-0x0000000003230000-0x000000000357A000-memory.dmp   3.3MB
  memory/936-145-0x0000000001230000-0x000000000125F000-memory.dmp   188KB
  memory/936-144-0x00000000004F0000-0x0000000000517000-memory.dmp   156KB
  memory/3032-142-0x0000000002F20000-0x0000000002FEA000-memory.dmp  808KB
  memory/3032-150-0x0000000008100000-0x000000000826E000-memory.dmp  1.4MB
  memory/3032-151-0x0000000008100000-0x000000000826E000-memory.dmp  1.4MB
  memory/3756-141-0x0000000001700000-0x0000000001714000-memory.dmp  80KB
  memory/3756-140-0x0000000001730000-0x0000000001A7A000-memory.dmp  3.3MB
  memory/3756-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/3756-137-0x0000000000000000-mapping.dmp
  memory/4440-132-0x0000000000000000-mapping.dmp
  memory/4808-146-0x0000000000000000-mapping.dmp